On 23/05/16 18:36, Matt Darfeuille wrote:
> On 23 May 2016 at 17:09, Bob Williams wrote:
>
>> Hello,
>>
>> I'm new to shorewall. I am running shorewall on my openSUSE Linux PC
>> which connects to the Internet through a Draytek router. There are other
>> machines in the house using the same router but 'outside' this firewall,
>> and I want some of them to be able to access a web2py server on port
>> 8081 running on the desktop PC which is running the firewall (i.e. they
>> will connect through the LAN).
>>
>> I have added the MAC addresses of these machines to
>> /etc/shorewall/maclist but they still get rejected.
>>
>> /etc/shorewall/zones contains these lines
>>
>> #ZONE        TYPE            OPTIONS         IN                      OUT
>> #                                    OPTIONS                 OPTIONS
>> fw   firewall
>> net  ipv4
>>
>> /etc/shorewall/interfaces contains
>>
>> #ZONE                INTERFACE               OPTIONS
>> net          eth0                    maclist
>>
>> /etc/shorewall/policy contains
>>
>> #SOURCE      DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
>> #                            LEVEL   BURST           MASK
>> $FW  net     ACCEPT
>> net  all     DROP            info
>> all  all     REJECT          info
>>
>> /etc/shorewall/rules contains
>>
>> ?SECTION NEW
>> ACCEPT      net         $FW         tcp     8197
>> Rsync(ACCEPT)   net  $FW
>> ACCEPT      net         $FW         tcp     8081
>> Ping(DROP)  net         all
>>
>> and /etc/shorewall/maclist contains
>>
>> #DISPOSITION INTERFACE               MAC                     IP ADDRESSES (Optional)
>> ACCEPT eth0 B4-CE-F6-9D-30-D5 192.168.1.12
>> ACCEPT eth0 44-1E-A1-F9-5F-18
>> ACCEPT eth0 00-22-5F-04-6F-06
>> ACCEPT eth0 00-21-9B-DB-45-D4
>> ACCEPT eth0 E8-99-C4-8E-BC-A5
>> ACCEPT eth0 5C-E0-C5-B7-3F-3B
>> ACCEPT eth0 76-2C-D8-7B-BC-50
>>
>> Do you need any other information? Log file?
>>
>> Many thanks,
>>
>> Bob
>>
>
> Hi Bob,
>
> The maclist option is not needed in your case.
>
> To only allow specific machines to access the firewall's net zone do:
> ACCEPT net:ip,ip,ip $FW tcp 8081
>
> More examples are on shorewall.org.
>
> -Matt
>
Hi Matt,

Many thanks. I'll try that.

Bob
-- 
Bob Williams
    System:  Linux 4.1.20-11-default
    Distro:  openSUSE 42.1 (x86_64)
    Desktop: KDE Frameworks: 5.21.0, Qt: 5.5.1 and Plasma:

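For readers following the thread, here is what Matt's suggestion looks like when written out across the two Shorewall files Bob posted. This is an added example, not a configuration from the original messages or from the Shorewall project: the only address taken from the thread is 192.168.1.12; 192.168.1.20 and 192.168.1.21 are placeholders for the other LAN hosts that should reach web2py, and the rsync/8197 rules, which the original left open to the whole net zone, are narrowed the same way to show that the `zone:address-list` form works in the SOURCE column of any rule, macro-based ones included.

```conf
# /etc/shorewall/interfaces
# The maclist option is dropped, so MAC verification no longer runs on eth0
# and the rules file alone decides who may reach the firewall.
#ZONE   INTERFACE   OPTIONS
net     eth0

# /etc/shorewall/rules
#ACTION         SOURCE                                          DEST    PROTO   DEST
#                                                                               PORT(S)
?SECTION NEW
# web2py on 8081: only the listed LAN hosts. 192.168.1.12 is from the thread;
# the other two addresses are placeholders for the remaining permitted machines.
ACCEPT          net:192.168.1.12,192.168.1.20,192.168.1.21      $FW     tcp     8081
# The same SOURCE syntax restricts the other services that were open to all of net.
Rsync(ACCEPT)   net:192.168.1.12                                $FW
ACCEPT          net:192.168.1.12                                $FW     tcp     8197
# Everything else from net is still caught by the policy line "net all DROP info".
Ping(DROP)      net                                             all
```

After editing, `shorewall check` validates the files without touching the running firewall, and `shorewall restart` applies them. Two caveats worth keeping in mind with this approach: the permitted hosts need stable addresses (for example DHCP reservations on the Draytek router), otherwise a renewed lease silently locks a machine out; and a source-IP match is only a convenience control on a flat home LAN, since any host on the same segment can claim one of the listed addresses, just as it could claim one of the listed MACs under maclist.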
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
